Description
Description
commands.md (rendered at
https://docs.nvidia.com/nemoclaw/latest/reference/commands.html, "nemoclaw
onboard" section) makes this explicit claim about the NEMOCLAW_POLICY_TIER
environment variable:
"If the value does not match a known tier, onboarding exits with an
error listing the valid options."
On NemoClaw v0.0.44, this is not true. Setting NEMOCLAW_POLICY_TIER to a
bogus value does NOT cause onboarding to exit during parsing/preflight.
Onboarding proceeds through:
[1/8] Preflight checks (passes)
[2/8] Starting OpenShell gateway (passes — reuses healthy gateway)
[3/8] Configuring inference (NIM) (fails because of an unrelated reason,
usually a missing credential)
so the invalid tier value is silently accepted (or silently ignored)
through at least preflight and gateway setup. A user who fat-fingers
the tier name will only learn about it later, after several steps of
side-effectful work — and only if they happen to look at the
log carefully. In a CI run that pre-populates the API key, an invalid
tier could pass through entirely unnoticed.
Environment
Device: ipp2-1558 (10.176.178.100), x86_64 server, 32 vCPU / 125 GB RAM, NVIDIA A100 80GB PCIe
OS: Ubuntu 24.04.4 LTS (Linux 6.17.0-23-generic)
Architecture: x86_64
Node.js: v22.x (installed via nvm by NemoClaw installer)
Docker: 29.5.0
OpenShell CLI: 0.0.39
NemoClaw: v0.0.44
OpenClaw: v2026.4.24 (test sandbox) / N/A for this bug
Steps to Reproduce
1. Read the "NEMOCLAW_POLICY_TIER" paragraph in commands.md (under the
nemoclaw onboard section):
"If the value does not match a known tier, onboarding exits with an
error listing the valid options."
2. Run onboarding with a bogus tier value:
NEMOCLAW_POLICY_TIER=invalid_tier \
nemoclaw onboard --non-interactive --yes-i-accept-third-party-software
3. Observe what happens.
Expected Result
Onboarding exits before step [1/8] preflight, with an error like:
Invalid NEMOCLAW_POLICY_TIER value 'invalid_tier'.
Valid tiers: restricted, balanced, open.
Exit code is non-zero, no side effects.
Actual Result
Output (truncated):
[non-interactive] Agent: OpenClaw
NemoClaw Onboarding
(non-interactive mode)
===================
[1/8] Preflight checks
──────────────────────────────────────────────────
(all preflight checks ✓)
[2/8] Starting OpenShell gateway
──────────────────────────────────────────────────
[reuse] Skipping gateway (running)
Reusing healthy NemoClaw gateway.
[3/8] Configuring inference (NIM)
──────────────────────────────────────────────────
[non-interactive] Provider: build
NVIDIA_API_KEY (or NEMOCLAW_PROVIDER_KEY) is required for NVIDIA
Endpoints in non-interactive mode.
Exit code: 1 (failure, but reason is missing API key, not invalid tier)
No message anywhere in the output mentions the bogus tier value. Preflight
+ gateway setup completed despite the invalid configuration.
Logs
$ env | grep -E "NEMOCLAW_(POLICY_TIER|API|NON)"
NEMOCLAW_POLICY_TIER=invalid_tier
$ nemoclaw --version
nemoclaw v0.0.44
(see Actual Result for full onboard output)
Suggested Fix
Validate NEMOCLAW_POLICY_TIER as an early step in the onboarding
entrypoint — before preflight, gateway setup, or any other side-effectful
work — and bail with a clear error listing the valid tiers when the
value is not in {restricted, balanced, open}.
Alternative: if the intent is to accept bogus values silently and just
fall back to the default tier, then update commands.md to remove the
"onboarding exits with an error" claim and document the actual fallback
behaviour.
Bug Details
| Field |
Value |
| Priority |
Unprioritized |
| Action |
Dev - Open - To fix |
| Disposition |
Open issue |
| Module |
Machine Learning - NemoClaw |
| Keyword |
NemoClaw, NemoClaw_Docs, NEMOCLAW_GH_SYNC_APPROVAL |
[NVB#6186946]
Description
Description
commands.md (rendered at https://docs.nvidia.com/nemoclaw/latest/reference/commands.html, "nemoclaw onboard" section) makes this explicit claim about the NEMOCLAW_POLICY_TIER environment variable: "If the value does not match a known tier, onboarding exits with an error listing the valid options." On NemoClaw v0.0.44, this is not true. Setting NEMOCLAW_POLICY_TIER to a bogus value does NOT cause onboarding to exit during parsing/preflight. Onboarding proceeds through: [1/8] Preflight checks (passes) [2/8] Starting OpenShell gateway (passes — reuses healthy gateway) [3/8] Configuring inference (NIM) (fails because of an unrelated reason, usually a missing credential) so the invalid tier value is silently accepted (or silently ignored) through at least preflight and gateway setup. A user who fat-fingers the tier name will only learn about it later, after several steps of side-effectful work — and only if they happen to look at the log carefully. In a CI run that pre-populates the API key, an invalid tier could pass through entirely unnoticed.Environment Steps to Reproduce1. Read the "NEMOCLAW_POLICY_TIER" paragraph in commands.md (under the nemoclaw onboard section): "If the value does not match a known tier, onboarding exits with an error listing the valid options." 2. Run onboarding with a bogus tier value: NEMOCLAW_POLICY_TIER=invalid_tier \ nemoclaw onboard --non-interactive --yes-i-accept-third-party-software 3. Observe what happens.Expected Result Actual Result Logs Suggested FixValidate NEMOCLAW_POLICY_TIER as an early step in the onboarding entrypoint — before preflight, gateway setup, or any other side-effectful work — and bail with a clear error listing the valid tiers when the value is not in {restricted, balanced, open}. Alternative: if the intent is to accept bogus values silently and just fall back to the default tier, then update commands.md to remove the "onboarding exits with an error" claim and document the actual fallback behaviour.Bug Details
[NVB#6186946]